Bug 1805135 (CVE-2020-2732) - CVE-2020-2732 Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-2732
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1806817 1806818 1806819 1806820 1806816 1824398 1824399
Blocks: 1805137
Reported: 2020-02-20 10:49 UTC by Marian Rehak
Modified: 2020-06-16 11:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualization (nested=1) is enabled. During instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to potentially access information belonging to the L1 hypervisor.
Clone Of:
Environment:
Last Closed: 2020-05-12 16:32:14 UTC


Attachments
Preliminary patch (2.52 KB, patch), 2020-02-20 10:52 UTC, Marian Rehak


Links (Red Hat Product Errata, with last-updated time)
RHBA-2020:2172, last updated 2020-05-18 01:01:28 UTC
RHBA-2020:2173, last updated 2020-05-18 02:22:18 UTC
RHBA-2020:2578, last updated 2020-06-16 11:55:42 UTC
RHSA-2020:2102, last updated 2020-05-12 15:27:11 UTC
RHSA-2020:2171, last updated 2020-05-14 19:07:01 UTC

Description Marian Rehak 2020-02-20 10:49:58 UTC
Under certain circumstances, an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources that are supposed to be inaccessible to the L2 guest according to L1 hypervisor configuration.

Only Intel processors are affected. It requires nested virtualization to be enabled, i.e. kvm-intel.nested=1.

Upstream patch(es):
-------------------
  -> https://www.spinics.net/lists/kvm/msg208259.html
  -> https://git.kernel.org/linus/07721feee46b4b248402133228235318199b05ec
  -> https://git.kernel.org/linus/35a571346a94fb93b5b3b6a599675ef3384bc75c
  -> https://git.kernel.org/linus/e71237d3ff1abf9f3388337cfebf53b96df2020d

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/02/25/3

Comment 1 Marian Rehak 2020-02-20 10:50:06 UTC
Acknowledgments:

Name: Paolo Bonzini (Red Hat)

Comment 2 Marian Rehak 2020-02-20 10:52:19 UTC
Created attachment 1664312
Preliminary patch

Comment 3 Prasad J Pandit 2020-02-25 05:18:17 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1806816]

Comment 8 errata-xmlrpc 2020-05-12 15:27:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2102 https://access.redhat.com/errata/RHSA-2020:2102

Comment 9 Product Security DevOps Team 2020-05-12 16:32:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-2732

Comment 10 errata-xmlrpc 2020-05-14 19:06:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2171 https://access.redhat.com/errata/RHSA-2020:2171
